6 files changed, 15 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 8b5df6fde..261ca19ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,8 @@
   - markus@cvs.openbsd.org 2001/01/18 17:12:43
     [auth-chall.c auth2-chall.c]
     rename *-skey.c *-chall.c since the files are not skey specific
+ - (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <nalin@redhat.com>)
+   to fix NULL pointer deref and fake authloop breakage in PAM code.
 
 20010118
 - (bal) Super Sized OpenBSD Resync
diff --git a/auth-pam.c b/auth-pam.c
index 07847cb9d..befb84c08 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"
-RCSID("$Id: auth-pam.c,v 1.20 2000/12/20 02:34:49 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.21 2001/01/19 04:46:38 djm Exp $");
 #define NEW_AUTHTOK_MSG \
        "Warning: Your password has expired, please change it now"
@@ -323,13 +323,13 @@ void finish_pam(void)
 }
 /* Start PAM authentication for specified account */
-void start_pam(struct passwd *pw)
+void start_pam(const char *user)
 {
        int pam_retval;
-        debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
+        debug("Starting up PAM with username \"%.200s\"", user);
-        pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh);
+        pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &pamh);
        if (pam_retval != PAM_SUCCESS) {
                fatal("PAM initialisation failed[%d]: %.200s", 
diff --git a/auth-pam.h b/auth-pam.h
index ca261afeb..68d446592 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -3,7 +3,7 @@
 #include <pwd.h> /* For struct passwd */
-void start_pam(struct passwd *pw);
+void start_pam(const char *user);
 void finish_pam(void);
 int auth_pam_password(struct passwd *pw, const char *password);
 char **fetch_pam_environment(void);
diff --git a/auth1.c b/auth1.c
index 0f21c4c7c..ee165a442 100644
--- a/auth1.c
+++ b/auth1.c
@@ -414,7 +414,7 @@ do_authentication()
 #ifdef USE_PAM
        if (pw)
-                start_pam(pw);
+                start_pam(user);
 #endif
        /*
diff --git a/auth2-pam.c b/auth2-pam.c
index 498cc7461..d1d840972 100644
--- a/auth2-pam.c
+++ b/auth2-pam.c
@@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.3 2001/01/19 04:26:52 mouring Exp $");
+RCSID("$Id: auth2-pam.c,v 1.4 2001/01/19 04:46:38 djm Exp $");
 #ifdef USE_PAM
 #include "ssh.h"
@@ -36,10 +36,8 @@ auth2_pam(Authctxt *authctxt)
        if (authctxt->user == NULL)
                fatal("auth2_pam: internal error: no user");
-        if (authctxt->valid) {
+        conv2.appdata_ptr = authctxt;
-                conv2.appdata_ptr = authctxt;
+        pam_set_conv(&conv2);
-                pam_set_conv(&conv2);
-        }
        dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
                     &input_userauth_info_response_pam);
diff --git a/auth2.c b/auth2.c
index 348c2f3a4..bab1c2ed8 100644
--- a/auth2.c
+++ b/auth2.c
@@ -210,10 +210,13 @@ input_userauth_request(int type, int plen, void *ctxt)
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-                        start_pam(pw);
+                        start_pam(pw->pw_name);
 #endif
                } else {
                        log("input_userauth_request: illegal user %s", user);
+#ifdef USE_PAM
+                        start_pam("NOUSER");
+#endif
                }
                authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);